Security testing

Network security testing is performed on a network to ensure all security implementations are operating as expected. Typically, network security testing is conducted during the implementation and operational stages, after the system has been developed, installed, and integrated.

Security testing provides insight into various administrative tasks, such as risk analysis and contingency planning. It is important to document the results of security testing and make them available for staff involved in other IT areas.

During the implementation stage, security testing is conducted on specific parts of the network. After a network is fully integrated and operational, a Security Test and Evaluation (ST&E) is performed. An ST&E is an examination of the protective measures that are placed on an operational network.

Objective of ST&E:

  • Uncover design, implementation, and operational flaws that could lead to the violation of the security policy.
  • Determine the adequacy of security mechanisms, assurances, and device properties to enforce the security policy.
  • Assess the degree of consistency between the system documentation and its implementation.
Types of Network Tests

After a network is operational, ascertain its security status. Many security tests can be conducted to assess the operational status of the network:

  • Penetration testing – Network penetration tests, or pen testing, simulate attacks from malicious sources. The goal is to determine the feasibility of an attack and possible consequences if one were to occur.
  • Network scanning – Includes software that can ping computers, scan for listening TCP ports and display which types of resources are available on the network. Some scanning software can also detect user names, groups and shared resources. Network administrators can use this information to strengthen their networks.
  • Vulnerability scanning – Includes software that can detect potential weaknesses in the tested systems. These weaknesses can include misconfiguration, blank or default passwords, or potential targets for DoS attacks. Some software allows administrators to attempt to crash the system through the identified vulnerability.
  • Password cracking – Includes software that is used to test and detect weak passwords that should be changed. Password policies should include guidelines to prevent weak passwords.
  • Log review – System administrators should review security logs to identify potential security threats. Abnormal activity should be investigated using filtering software to scan lengthy log files.
  • Integrity checkers – An integrity checking system detects and reports on changes in the system. Most of the monitoring is focused on the file system. However, some checking systems can report on login and logout activities.
  • Virus detection – Virus detection software can be used to identify and remove computer viruses and other malware.
Applying Network Test Results

Network security testing results can be used in several ways:

  • To define mitigation activities to address identified vulnerabilities
  • As a benchmark to trace the progress of an organization in meeting security requirements
  • To assess the implementation status of system security requirements
  • To conduct cost and benefit analysis for improvements to network security
  • To enhance other activities, such as risk assessments, certification and authorization (C&A), and performance improvement efforts
  • As a reference point for corrective action
Network Testing Tools

There are many tools available to test the security of systems and networks. Some of these tools are open source while others are commercial tools that require licensing. Various software tools can be used to perform network testing including:

  • Nmap/Zenmap Discovers computers and services on a computer network, thus creating a map of the network.
    Nmap is a commonly used, low-level scanner that is available to the public. It has an array of excellent features which can be used for network mapping and reconnaissance. The basic functionality of Nmap allows the user to accomplish several tasks:

    • Classic TCP and UDP port scanning Searches for different services on one host.
    • Classic TCP and UDP port sweeping – Searches for the same service on multiple hosts.
    • Stealth TCP and UDP port scans and sweeps – Similar to classic scans and sweeps, but harder to detect by the target host or IPS.
    • Remote operating system identification – This is also known as OS fingerprinting.
  • SuperScan Port scanning software designed to detect open TCP and UDP ports, determine what services are running on those ports, and to run queries, such as whois, ping, traceroute, and hostname lookups.
    SuperScan is a Microsoft Windows port scanning tool. It runs on most versions of Windows and requires administrator privileges. SuperScan version 4 has a number of useful features:

    • Adjustable scanning speed
    • Support for unlimited IP ranges
    • Improved host detection using multiple ICMP methods
    • TCP SYN scanning
    • UDP scanning (two methods)
    • Simple HTML report generation
    • Source port scanning
    • Fast hostname resolution
    • Extensive banner grabbing capabilities
    • Massive built-in port list description database
    • IP and port scan order randomization
    • A selection of useful tools, such as ping, traceroute, and whois
    • Extensive Windows host enumeration capability
  • SIEM (Security Information Event Management) – A technology used in enterprise organizations to provide real time reporting and long-term analysis of security events.
    Security Information Event Management (SIEM) is a technology used in enterprise organizations to provide real time reporting and long-term analysis of security events. SIEM evolved from two previously separate products: Security Information Management (SIM) and Security Event Management (SEM).
    IEM combines the essential functions of SIM and SEM to provide:

    • Forensic analysis – The ability to search logs and event records from sources throughout the organization provides more complete information for forensic analysis.
    • Correlation – Examines logs and events from disparate systems or applications, speeding detection of and reaction to security threats.
    • Aggregation – Aggregation reduces the volume of event data by consolidating duplicate event records.
    • Retention – Reporting presents the correlated and aggregated event data in real-time monitoring and long-term summaries.

    SIEM provides details on the source of suspicious activity, including:

    • User information (name, authentication status, location, authorization group, quarantine status)
    • Device information (manufacturer, model, OS version, MAC address, network connection method, location)
    • Posture information (device compliance with corporate security policy, antivirus version, OS patches, compliance with mobile device management policy)
  • GFI LANguard Network and security scanner which detects vulnerabilities
  • Tripwire Assesses and validates IT configurations against internal policies, compliance standards, and security best practices
  • Nessus Vulnerability scanning software, focusing on remote access, misconfigurations, and DoS against the TCP/IP stack
  • L0phtCrack Password auditing and recovery application
  • Metasploit Provides information about vulnerabilities and aids in penetration testing and IDS signature development

 

Security Policy Overview

The Secure Network Life Cycle is a process of assessment and re-evaluation of equipment and security needs as the network changes.

A security policy is a set of security objectives for a company, rules of behavior for users and administrators, and system requirements. These objectives, rules, and requirements collectively ensure the security of a network, the data, and the computer systems in an organization. Much like a continuity plan, a security policy is a constantly evolving document based on changes in technology, business, and employee requirements.

A comprehensive security policy accomplishes several tasks:

  • It demonstrates an organization’s commitment to security.
  • It sets the rules for expected behavior.
  • It ensures consistency in system operations, software and hardware acquisition and use, and maintenance.
  • It defines the legal consequences of violations.
  • It gives security staff the backing of management

A security policy may include the following:

  • Identification and authentication policies – Specifies authorized persons that can have access to network resources and outlines verification procedures.
  • Password policies – Ensures passwords meet minimum requirements and are changed regularly.
  • Acceptable use policies – Identifies network resources and usages that are acceptable to the organization. It may also identify ramifications if this policy is violated.
  • Remote access policies – Identifies how remote users can access a network and what is accessible via remote connectivity.
  • Network maintenance policies – Specifies network device operating systems and end user application update procedures.
  • Incident handling policies – Describes how security incidents are handled.

One of the most common security policy components is an acceptable use policy (AUP). This can also be referred to as an appropriate use policy. This component defines what users are allowed and not allowed to do on the various system components. This includes the type of traffic that is allowed on the network. The AUP should be as explicit as possible to avoid misunderstanding.

Security Policy Audience

The audience for the security policy is anyone who has access to the network.

The internal audience includes various personnel, such as managers and executives, departments and business units, technical staff, and employees.

The external audience is also a varied group that includes partners, customers, suppliers, consultants, and contractors.

The audience determines the content of the policy.

Security Policy Hierarchy

Most corporations use a suite of policy documents to meet their various needs. These documents are often broken into a hierarchical structure, as shown in the figure:

  • Governing policy – High-level treatment of the security guidelines that are important to the entire company. Managers and technical staff are the intended audience. The governing policy controls all security-related interactions among business units and supporting departments in the company.
    The governing policy aligns closely with existing company policies and is placed at the same level of importance as these other policies. This includes human resource policies and other policies that mention security-related issues, such as email, computer use, or related IT subjects.
  • Technical policy – Used by security staff members as they carry out security responsibilities for the system. These policies are more detailed than the governing policy and are system-specific or issue-specific. For example, access control and physical security issues are described in a technical policy.
    Technical policies are broken down into specified technical components, including:

    • General policies – Includes the AUP, account access request policy, acquisition assessment policy, audit policy, information sensitivity policy, risk assessment policy, and the global web server policy.
    • Telephony policy – Defines the policy for using the corporate phone and FAX lines.
    • Email and communications policy – Includes generic email policy and automatically forwarded email policy.
    • Remote access policy – Includes a VPN policy and may include a dial-in access policy if still supported by the organization.
    • Network policy – Includes an extranet policy, minimum requirements for network access policy, network access standards, router and switch security policy, and server security policy.
    • Application policy – Includes an acceptable encryption policy, application service provider (ASP) policy, database credentials coding policy, inter-process communications policy, a project security policy, and a source code protection policy.
  • End user policy – Covers all security topics that are important to end users. End users can include employees, customers, and any other individual user of the network.
    These policies are generally grouped together into a single document for ease of use. End user policies might overlap with technical policies, but may also include:

    • Identity policy – Defines rules and practices for protecting the organization’s network from unauthorized access. These practices help reduce the potential for identity information getting into the wrong hands.
    • Password policy – Passwords are an important aspect of computer security. A password policy defines the rules that all users must follow when creating and securing their passwords.
    • Antivirus policy – This policy defines standards for protecting an organization’s network from any threat related to viruses, worms, or Trojan horses.
Security Policy Documents

The security policy documents are high-level overview documents. The security staff uses detailed documents to implement the security policies. These include the standards, guidelines, and procedures documents.

Standards Documents

Standards help an IT staff maintain consistency in the operations of the network. Standards documents include the technologies that are required for specific uses, hardware and software versioning requirements, program requirements, and any other organizational criteria that must be followed. This helps IT staff improve efficiency and simplicity in design, maintenance, and troubleshooting.

One of the most important security principles is consistency.

Guideline Documents

Guidelines are a list of suggestions on how to do things more efficiently and securely. They are similar to standards, but are more flexible and are not usually mandatory. Guidelines can be used to define how standards are developed and to guarantee adherence to general security policies.

Some of the most helpful guidelines are found in organizational repositories called Best Practices. In addition to an organization’s defined best practices, guidelines are also available from:

  • National Institute of Standards and Technology (NIST) Computer Security Resource Center.
  • National Security Agency (NSA) Security Configuration Guides.
  • The Common Criteria standard.
Procedure Documents

Procedure documents are longer and more detailed than standards and guidelines. Procedure documents include implementation details that usually contain step-by-step instructions and graphics.

The figure shows an example of a flight procedure manual that contains the step-by-step instructions that pilots must follow before take-off. Similarly, a network technician would refer to the organization’s accepted procedure for securely deploying a new Layer 2 switch in the network infrastructure.

Large organizations must use procedure documents to maintain the consistency of deployment that is necessary for a secure environment.

Roles and responsibilities
Organizational Reporting Structure

All persons in an organization, from the Chief Executive Officer (CEO) to the newest hires, are considered end users of the network and must abide by the organization’s security policy. Developing and maintaining the security policy is delegated to specific roles within the IT department.

Common Executive Titles

Some of the more common executive titles include:

  • Chief Executive Officer (CEO) – Ultimately responsible for the success of an organization. All executive positions report to the CEO.
  • Chief Technology Officer (CTO) – Identifies and evaluates new technologies. Directs any new technology development. Responsible for maintaining and improving existing systems. Provides leadership regarding all technology-related issues that support operations. The CTO is responsible for technology infrastructure.
  • Chief Information Officer (CIO) – Responsible for all IT and computer systems that support enterprise goals. Directs successful deployment of new technologies and work processes. In small to medium-sized organizations, this role is often combined with the CTO. The CIO provides leadership when processes and practices supporting the flow of information are developed.
  • Chief Security Officer (CSO) – Develops, implements, and manages the organization’s security strategy and programs. Provides leadership for the development of any processes associated with the business operation, including safeguarding intellectual property. The CSO must limit exposure to liability in all areas of financial, physical, and personal risk.
  • Chief Information Security Officer (CISO) – The CISO has a specific focus on IT security. The CISO is responsible for developing and implementing the security policy. The CISO may be the primary author of the security policy or provide leadership to other authors. In any case, the CISO is responsible and accountable for the security policy content
Security awareness and training
Security Awareness Program
Technical, administrative, and physical security is easily breached if the end user community is not purposefully abiding by security policies. To help ensure the enforcement of the security policy, a security awareness program must be put in place. Leadership must develop a program that keeps everyone aware of security issues and educates staff on how to work together to maintain the security of their data.

A security awareness program reflects the business needs of an organization tempered by known risks. It informs users of their IT security responsibilities and explains the rules of behavior for using the IT systems and data within a company. This program must explain all IT security policies and procedures.

It disseminates the information that all end users need to effectively conduct business in a way that protects the organization from loss of intellectual capital, critical data, and even physical equipment. The security awareness program also details the sanctions that the organization imposes for noncompliance. This portion of the program should be part of all new hire orientations.

A security awareness program usually has two major components:

  • Awareness campaigns
    Awareness campaigns are usually aimed at all levels of the organization, including executive positions. Security awareness efforts are designed to change behavior or reinforce good security practices.
    There are several methods of increasing security awareness:

    • Lectures, videos
    • Posters, newsletter articles, and bulletins
    • Awards for good security practices
    • Reminders, such as login banners, mouse pads, coffee cups, and notepads
  • Training and education
    An effective security training course requires proper planning, implementation, maintenance, and periodic evaluation. The life cycle of a security training course includes several steps:

    Step 1. Identify course scope, goals, and objectives – The scope of the course provides training to all types of people who interact with IT systems. Because users need training that relates directly to their use of particular systems, it is necessary to supplement a large organization-wide program with more system-specific courses.

    Step 2. Identify and educate training staff – It is important that trainers have sufficient knowledge of computer security issues, principles, and techniques. It is also vital that they know how to communicate information and ideas effectively.

    Step 3. Identify target audiences – Not everyone needs the same degree or type of computer security information to perform an assigned job. Security training courses that present only the information that is needed by the particular audience and omit irrelevant information have the best results.

    Step 4. Motivate management and employees – Consider using motivational techniques to show management and employees how their participation in a training course benefits the organization.

    Step 5. Administer the courses – Important considerations for administering the course include selecting appropriate training methods, topics, materials, and presentation techniques.

    Step 6. Maintain the courses – Stay informed of changes in computer technology and security requirements. Training courses that meet the needs of an organization today can become ineffective when the organization starts to use a new application or changes its environment, such as the deployment of VoIP.

    Step 7. Evaluate the course effectiveness – An evaluation seeks to ascertain how much information is retained, to what extent computer security procedures are being followed, and the general attitude toward computer security.

    Educational Program

    Education integrates all the security skills and competencies of the various functional specialties into a common body of knowledge. It adds a multidisciplinary study of concepts, issues, and principles, both technological and social, and strives to produce IT security professionals capable of critical thinking skills and proactive responses.

    certificate programs.

Responding to a security breach

Motive answers the question of why a person committed the illegal act. As a crime is investigated, it is important to start with individuals who might have been motivated to commit the crime.  Having identified likely suspects, the next thing to consider is whether the suspects had the opportunity to commit the crime.

Opportunity answers the question of when and where the person committed the crime. For example, if it can be established that three of the suspects were all participating in a wedding at the time of the security breach, they might have been motivated, but they did not have the opportunity because they were busy doing something else.

Means answers the question of how the person committed the crime. It is pointless to accuse someone who does not have the knowledge, skills, or access to accomplish the crime.

The process of collecting data must be done precisely and quickly. When a security breach occurs, it is necessary to isolate the infected system immediately. Systems should not be shut down or rebooted before the memory is dumped to a file because the system flushes the memory every time a device is powered off. Additionally, a drive image should be taken before working with data on the hard drive.

Multiple copies of the hard drive are usually made after the device is powered down to establish master copies. These master copies are usually locked up in a safe, and investigators use working copies for both the prosecution and the defense. Investigators can determine if data tampering has occurred by comparing working copies to the master copy that has been secured and untouched since the beginning of the investigation.

After data is collected, but before equipment is disconnected, it is necessary to photograph the equipment in place. All evidence must be handled while maintaining a proper chain of custody, meaning that only those individuals with authorization have access to evidence, and all access is documented.

If security protocols are established and followed, organizations can minimize the loss and damages resulting from attacks.